I developed the previous version of this project (TWMAN) when I worked at NCHC. Unfortunately, I gave up that job on 2011/09/28, but why do I still maintain the new version of this project (TWMAN+)? This is because I hope I can do something for security research. Therefore,

It is widely pointed out that classical ontology is not sufficient to deal with imprecise and vague knowledge in some real-world applications, such as the behavioral analysis of malware (including botnets, viruses, backdoors, Trojans, etc.). In addition, malware has become a growing problem for governments and commercial organizations, and anti-malware applications are one of the most important research topics in the area of information security threats. As a consequence, enhanced systems for analyzing the behavior of malware are needed in order to predict its malicious actions and minimize eventual damage to computers. Many researchers use virtual machine (VM) systems to monitor malware behavior, but there are many anti-VM techniques that ward off the collection, analysis, and reverse-engineering features of VM-based malware analysis platforms. Therefore, malware researchers may get inaccurate analysis results from a VM-based platform. For this reason, we developed Taiwan Malware Analysis Net (TWMAN) to improve the accuracy of malware behavioral analysis; it integrates Type-1 Fuzzy Logic (T1FL), ontology and Fuzzy Markup Language (FML). TWMAN is based on a Type-1 fuzzy ontology model and focuses on using a real operating system environment to analyze malware behavior. However, much research has shown that there are limitations in the ability of T1FL to model and minimize the effect of uncertainties, because a T1FL system is certain in the sense that its membership grades are crisp values. For the above reason, in this project we try to bridge this gap with Interval Type-2 Fuzzy Logic (IT2FL) applied to Taiwan Malware Analysis Net, which also integrates eggdrop and glftpd and is offered as a cloud service (software as a service) on Google App Engine, with Python and Android: TWMAN+.
We believe this system would be helpful in improving the correctness of malware analysis results and reducing the loss rate of malware analysis.
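The paragraph above contrasts T1FL, whose membership grades are crisp numbers, with IT2FL, whose grades are intervals. The following added example (written for this page, not code from TWMAN or TWMAN+) makes that difference concrete for one behavioral rule, "IF many files modified AND many registry keys modified THEN malicious". The feature names, thresholds and spreads are constructed assumptions, not values from the TWMAN ontology; the sets are linear "high" ramps, and the interval type-2 set is built from an upper membership function and a right-shifted lower membership function.

```python
# Added example (not TWMAN's code): type-1 vs interval type-2 fuzzy grades for a
# single behavioral rule. The feature names, thresholds and spreads below are
# constructed assumptions, not values taken from the TWMAN ontology.


def ramp(x: float, a: float, b: float) -> float:
    """Type-1 'high' membership: 0 up to a, rising linearly to 1 at b."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


class IT2High:
    """Interval type-2 'high' set made of an upper membership function (UMF)
    and a lower membership function (LMF). The LMF is the same ramp shifted
    right by `spread`, so lmf(x) <= umf(x) for every x; the band between them is
    the footprint of uncertainty. spread == 0 collapses it to a type-1 set."""

    def __init__(self, a: float, b: float, spread: float = 0.0):
        if not (a < b and spread >= 0):
            raise ValueError("need a < b and spread >= 0")
        self.a, self.b, self.spread = a, b, spread

    def umf(self, x: float) -> float:
        return ramp(x, self.a, self.b)

    def lmf(self, x: float) -> float:
        return ramp(x, self.a + self.spread, self.b + self.spread)

    def grade(self, x: float):
        """Interval membership grade [lower, upper] of x."""
        return (self.lmf(x), self.umf(x))


# Constructed sets over counts observed during one run of a sample.
FILES_HIGH = IT2High(a=5, b=30, spread=5)       # files modified
REGISTRY_HIGH = IT2High(a=3, b=20, spread=4)    # registry keys modified


def t1_firing(files_modified: float, registry_modified: float) -> float:
    """Type-1 firing strength of the rule, treating the UMF as the crisp-grade
    type-1 set and using min as the AND t-norm: one number, no uncertainty."""
    return min(FILES_HIGH.umf(files_modified), REGISTRY_HIGH.umf(registry_modified))


def it2_firing(files_modified: float, registry_modified: float):
    """Interval type-2 firing interval of the same rule:
    [min of the LMFs, min of the UMFs]. Its width is how uncertain the rule's
    conclusion is for this particular sample."""
    f_lo, f_hi = FILES_HIGH.grade(files_modified)
    r_lo, r_hi = REGISTRY_HIGH.grade(registry_modified)
    return (min(f_lo, r_lo), min(f_hi, r_hi))


def evaluate(files_modified: float, registry_modified: float) -> dict:
    """Return both views of the rule for one observation."""
    lo, hi = it2_firing(files_modified, registry_modified)
    return {
        "t1": t1_firing(files_modified, registry_modified),
        "it2": (lo, hi),
        "uncertainty": hi - lo,
    }


if __name__ == "__main__":
    # A borderline sample gets a wide interval; a clear-cut one gets [1.0, 1.0].
    for sample in [(12, 8), (40, 25)]:
        print(sample, evaluate(*sample))
```

For the borderline observation (12 files, 8 registry keys) the type-1 rule reports a single strength of 0.28, while the interval type-2 rule reports roughly [0.06, 0.28]; the width of that interval is exactly the uncertainty that a crisp grade hides. A full IT2FL system would feed such intervals into type reduction and defuzzification, which this example leaves out.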

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

3. Virtual

4. Multi Clients

5. Cluster

TWMAN

Abstract :

Malware is an important topic of security threat research. In this project, a behavioral malware analysis system, TWMAN, is presented. The project focuses on using a real operating system (OS) environment to analyze malware behavior. Many researchers use virtual machine (VM) systems to monitor malware behavior, but malware samples run that way only compromise the virtual operating system or virtual machine, which does not reflect what happens in a real operating system or real environment. Therefore, some malware researchers do not want their samples analyzed in a VM environment, because the analyzer cannot obtain much useful information there.

There are many anti-VM techniques that ward off the collection, analysis, and reverse-engineering features of VM-based malware analysis platforms, so malware behavior in a real environment differs from its behavior in a virtual environment. Therefore, malware researchers may get inaccurate analysis results from a VM-based platform. In order to retrieve correct malware behavioral information, we need a flexible, adaptable, and fast analysis environment that can discover malware behavior in a real operating system and can quickly restore a clean operating system to analyze the next malware sample. For this reason, this project developed Taiwan Malware Analysis Net (TWMAN), a real operating system environment for malware behavioral analysis and analysis reporting. We believe this system would be helpful in improving the correctness of malware analysis results and reducing the loss rate of malware analysis.

Introduction :

In recent years, network security incidents have occurred frequently. They have created disasters all around the world, including Internet fraud activities and data theft, and malware has been the key culprit. Therefore, how to detect malware is a very important issue for network security. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent (e.g., viruses, backdoors, spyware, Trojans and worms) [1].

Malware Analysis :

The proliferation of malware continues to grow at a staggering rate: it is estimated that 250 new variants of malware are introduced into the world every day [4]. Malware is used to compromise systems and steal users' private data by exploiting software vulnerabilities. In the last several years, Internet malware attacks have grown rapidly; especially in 2008, malware attacks became more and more serious [5].

Up to the present, there are only two methods for malware behavioral analysis. One is static analysis (code analysis). The other is dynamic analysis (malware behavioral analysis), which analyzes the network traffic generated by the malware and monitors the infected system to find out which files or registry entries changed.

In addition, some malware has been found to exhibit similar behavioral patterns, such as the use of specific rules or modifications of particular system files [7, 8]. Malware behavioral analysis can determine the behavior of malware. Although this technique has become more and more popular, malware anti-detection techniques still grow rapidly [9]. Behavioral analysis can be applied to monitor, through its network traffic, the behavior of malware that infects a computer system [10]. Earlier malware behavioral analysis techniques have focused on obtaining reliable and accurate information on the execution of malicious programs [11].

Although many malware behavioral analysis systems have been developed by software companies, such as Norman Sandbox, VirusTotal and ThreatExpert [12, 7, 13, 8], the behavior of a small fraction of exceptional malware still cannot be detected. The reason is that such malware can distinguish whether the environment it runs in is virtual or real. If it finds that it is in a virtual environment, it tries to obfuscate the monitor, and this makes the analysis result a faulty report. Crashing the virtual machine and detecting the existence of the virtual environment are the two main techniques used to evade VM-based analysis.

We developed a real operating system (OS) environment for analyzing malware behavior, named Taiwan Malware Analysis Net (TWMAN). In the following, we focus on how to use this real OS environment to analyze malware behavior and briefly describe the system structure of TWMAN. In order to verify that the analysis results obtained from TWMAN are more correct, they are compared with those from sandboxes, both VM-based ones and the real-OS analysis technique, using CWSandbox from Sunbelt Software.

Don’t worry about breaking the system when it comes time for a TWMAN update.

Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMware and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a physical memory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.

dd: a common Unix program whose primary purpose is the low-level copying and conversion of raw data.

Clonezilla Live: a small bootable GNU/Linux distribution for x86/amd64 (x86-64) based computers. Clonezilla SE (Server Edition) has been developed since 2004 and is used to clone many computers simultaneously. It is an extremely useful tool; however, it does have several limitations. In order to use it, you must first prepare a DRBL server, and the machine to be cloned must boot from a network (e.g. PXE/Etherboot/gPXE). To address these limitations, in 2007 the Free Software Lab at the NCHC combined Debian Live with Clonezilla to produce "Clonezilla Live", software that can be used to easily clone individual machines. The primary benefit of Clonezilla Live is that it eliminates the need to set up a DRBL server ahead of time and the need for the computer being cloned to boot from a network. Clonezilla Live can be used to clone individual computers using a CD/DVD or USB flash drive. Though the image size is limited by the boot media's storage capacity, this problem can be eliminated by using a network filesystem such as sshfs or samba.

RegRipper was created and is maintained by Harlan Carvey. RegRipper, written in Perl, is the fastest, easiest, and best tool for registry analysis in forensic examinations. RegRipper has been downloaded over 5000 times and is used by examiners everywhere. Further, RegRipper is NOT intended for use with live hive files. Hive files need to be extracted from a case (or from a live system using FTK Imager…), or be accessible via a tool such as Mount Image Pro or F-Response. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32 API.

3. AIDE: http://aide.sourceforge.net/stable/manual.html

It creates a database from the regular expression rules that it finds in the config file(s). Once this database is initialized, it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of each file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further information.
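The AIDE description above (build a database of file digests and attributes, then verify against it) is the same baseline-and-compare step that the dynamic analysis section earlier calls "monitoring the infected system to find out which files changed". The following added example, written for this page and not taken from AIDE or TWMAN, implements that step with the Python standard library: it snapshots a directory tree into a digest/size/mode database, runs a constructed scenario that simulates a sample's side effects (a modified hosts file, a dropped file, a deleted file), and reports the delta. The directory layout and file contents are constructed for the demonstration.

```python
# Added example (not AIDE's or TWMAN's code): an AIDE-style file-integrity
# baseline and the "what changed after the sample ran" comparison used in
# dynamic analysis. Standard library only; the sample tree is constructed inline.
import hashlib
import os
import tempfile
from typing import Dict, Tuple

Record = Tuple[str, int, int]   # (sha256 hex digest, size in bytes, permission bits)


def _hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Walk `root` and record digest, size and mode for every regular file,
    keyed by its path relative to root (the role AIDE's database plays)."""
    db: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = (_hash_file(full), st.st_size, st.st_mode & 0o7777)
    return db


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, list]:
    """Classify every path as added, removed or modified (content, size or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a clean tree, simulate a sample's side
    effects, then report the delta. Returns the comparison dict."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        clean_files = {
            "system32/hosts": b"127.0.0.1 localhost\n",
            "system32/drivers.ini": b"[drivers]\n",
            "readme.txt": b"clean image\n",
        }
        for rel, data in clean_files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)

        # Simulated side effects of a run (constructed, not from a real sample):
        with open(os.path.join(root, "system32", "hosts"), "ab") as fh:
            fh.write(b"127.0.0.1 constructed.example\n")       # hosts file edited
        with open(os.path.join(root, "system32", "dropped.dll"), "wb") as fh:
            fh.write(b"not a real binary, constructed for the demo\n")  # dropped file
        os.remove(os.path.join(root, "readme.txt"))              # deleted file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In a real-OS analysis workflow the baseline is taken from the clean image before the sample runs and the second snapshot after it, so the baseline database must live outside the analyzed system (as AIDE's documentation also requires), otherwise the sample could alter it along with the files it records.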